The U.S. Securities and Exchange Commission (SEC) adopted new rules on cybersecurity disclosures, which went into effect on September 5, 2023. Generally, the rules require public companies to promptly disclose material cybersecurity incidents and to provide annual disclosures regarding the company’s cybersecurity strategy, risk management, and governance. Under the new rules, public companies must provide:
- A disclosure in Form 8-K with information regarding a material cybersecurity incident within four business days after the company determines the incident is material. The rules require that materiality determination to be made without unreasonable delay after discovery of the incident, so the four-day clock cannot be deferred by postponing the determination.
- An amendment of a prior Form 8-K disclosure of a cybersecurity incident to add any required information that was not determined or was unavailable at the time of the initial Form 8-K filing.
- Annual disclosures in Form 10-K describing the company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
- Annual disclosures in Form 10-K describing “the board of directors’ oversight of risks from cybersecurity threats” and “management’s role in assessing and managing the registrant’s material risks from cybersecurity threats.”
The SEC’s rules are meant to provide investors with timely, consistent, and actionable information related to cybersecurity. As risks related to cyberthreats grow in significance and in their impact on businesses’ bottom lines, many investors may consider a company’s cybersecurity program relevant to their investment decisions.